Wed, 1 Nov 2023 20:36:17 +0530, /JITHIN K/:
The Subversion version on my Ubuntu server is 1.13.0-3ubuntu0.2 and when
I check the change log
https://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog
I could see that the security update for CVE-2020-17525 is included in
1.13.0-3ubuntu0.2 but patches for the other three were not included
(CVE-2021-21298, CVE-2021-21297, CVE-2021-21296). Does that mean that in the
next Ubuntu 20.04.x release they will include patches for these vulnerabilities?
Funny, I'm not seeing the latter three related to Subversion:
* https://nvd.nist.gov/vuln/detail/CVE-2021-21298 (Node-Red)
* https://nvd.nist.gov/vuln/detail/CVE-2021-21297 (Node-Red)
* https://nvd.nist.gov/vuln/detail/CVE-2021-21296 (Fleet)
On Mon, Oct 30, 2023 at 9:32 AM JITHIN K wrote:
CVE-2020-17525: Denial of service vulnerability in mod_authz_svn
module. This vulnerability can be exploited by an attacker to cause
Apache Subversion to crash.
CVE-2021-21298: Insecure deserialization vulnerability in
libsvn_xml library. This vulnerability can be exploited by an
attacker to execute arbitrary code on the Subversion server.
CVE-2021-21297: Heap-based buffer overflow vulnerability in
libsvn_fs_x library. This vulnerability can be exploited by an
attacker to execute arbitrary code on the Subversion server.
CVE-2021-21296: Integer overflow vulnerability in libsvn_diff
library. This vulnerability can be exploited by an attacker to cause
Apache Subversion to crash.
--
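The question above is really "which of the CVEs I care about does this package's changelog actually mention?", and the reply shows why eyeballing is risky: the IDs being checked may not even belong to the package. The following is an added example, not code from the thread or from Ubuntu's tooling. It parses a Debian/Ubuntu-style changelog (the `package (version) distribution; urgency=...` header format used by the linked file), maps every CVE identifier mentioned to the versions whose entries mention it, and reports which of a wanted list are never mentioned. The changelog text embedded here is a constructed, simplified sample, not the real file; the maintainer name and address are placeholders.

```python
import re

# Constructed, simplified changelog in Debian format (not the real Ubuntu
# changelog). Version and CVE id for the first entry are the ones named in
# the thread; everything else is placeholder.
SAMPLE_CHANGELOG = """\
subversion (1.13.0-3ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: denial of service in mod_authz_svn
    - CVE-2020-17525

 -- Example Maintainer <maintainer@example.invalid>  Mon, 22 Mar 2021 10:00:00 +0000

subversion (1.13.0-3ubuntu0.1) focal; urgency=medium

  * No-change rebuild.

 -- Example Maintainer <maintainer@example.invalid>  Tue, 12 May 2020 09:00:00 +0000
"""

# One changelog entry starts at column 0 with: package (version) dist; urgency=...
ENTRY_HEADER = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\S+)", re.M)
# CVE ids: year, then four or more digits; case-insensitive because some
# entries write "cve-" in lower case.
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}", re.I)


def parse_changelog(text):
    """Return [(version, entry_body), ...] in file order (newest entry first)."""
    headers = list(ENTRY_HEADER.finditer(text))
    entries = []
    for i, m in enumerate(headers):
        # An entry's body runs until the next header (or end of file).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        entries.append((m.group(2), text[m.end():end]))
    return entries


def cve_versions(text):
    """Map each CVE id mentioned anywhere in the changelog to the versions
    whose entries mention it, e.g. {'CVE-2020-17525': ['1.13.0-3ubuntu0.2']}."""
    result = {}
    for version, body in parse_changelog(text):
        for cve in sorted({c.upper() for c in CVE_ID.findall(body)}):
            result.setdefault(cve, []).append(version)
    return result


def unpatched(text, wanted):
    """CVE ids from `wanted` that no changelog entry mentions, sorted.

    A CVE missing here is not proof the package is vulnerable: the id may
    belong to a different product entirely (as in the thread), or the fix
    may have landed without the id being recorded. It is a prompt to check
    the CVE record against the package name before worrying.
    """
    mentioned = cve_versions(text)
    return sorted(c.upper() for c in wanted if c.upper() not in mentioned)


if __name__ == "__main__":
    wanted = ["CVE-2020-17525", "CVE-2021-21298",
              "CVE-2021-21297", "CVE-2021-21296"]
    for cve, versions in cve_versions(SAMPLE_CHANGELOG).items():
        print(f"{cve}: fixed/mentioned in {', '.join(versions)}")
    print("not mentioned:", unpatched(SAMPLE_CHANGELOG, wanted))
```

Point `parse_changelog` at the text of the real file (fetched from the URL in the thread, or from `apt changelog subversion` on the server) to reproduce the check for an installed package; the parser only relies on the standard entry header and trailer layout.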